On demand expansion available for Security Gateways of all sizes
Introduces new and simple ways to architect and manage cyber security
Delivering the highest standard of resiliency with Telco-Grade Technology
Welcome to Check Point’s Cyber Security Platform. R81 is the industry’s most advanced Threat Prevention and security management software that delivers uncompromising simplicity and consolidation across the enterprise. Whether you are deploying the latest technologies and security to protect the organization or expertly crafting security policies, R81's new features include Infinity Threat Prevention, the industry’s first autonomous Threat Prevention system, which provides fast, self-driven policy creation and one-click security profiles that keep policies always up to date. Policies are installed in seconds, upgrades require only one click, and gateways can be simultaneously upgraded in minutes. R81 further features secure connectivity for encrypted traffic utilizing the latest standards, including TLS 1.3 and HTTP/2. In addition, the Scalable Platform software is now aligned with the R81 Cyber Security Platform, bringing feature parity to Check Point Maestro.
Infinity Threat Prevention is an innovative management model that:
Provides zero-maintenance protection from zero-day threats, and continuously and autonomously ensures that your protection is up-to-date with the latest cyber threats and prevention technologies.
Empowers administrators with out-of-the-box policy profiles based on business and IT security needs.
Streamlines the configuration and deployment of policy profiles across gateways.
Provides simple and powerful customization to best serve your organization’s needs.
Manage your custom intelligence feeds through SmartConsole. Add, delete or modify IoC feeds fetched by the Security Gateways, and import files in CSV or STIX 1.x formats.
FTP protocol inspection with Anti-Virus and SandBlast Threat Emulation.
Improved use of IoCs for indicators based on source IPv4 and IPv6 addresses.
Note - Administrators can still perform granular manual changes to override Check Point’s recommended policies and profiles.
Automatic Engine Updates – Like the automatic updates to the Threat Emulation engines, you can now receive Threat Extraction updates automatically on your gateways. There is no need to update to a hotfix or a major version. Security improvements, new features and more do not require intervention.
Anti-Virus and SandBlast Threat Emulation
Enhanced Support for Archive Files – includes significant improvements in handling archive files:
Support for password protection for all supported file types, including .7z and .rar. For more details, please refer to sk112821.
An improved mechanism to “guess” passwords automatically when opening password-protected archives for emulation.
Added support for password-protected archives when the password includes Unicode characters.
Faster delivery of an emulation verdict for documents with embedded files.
Enhanced Support for Password-Protected Documents:
Admins can now configure a default action for password-protected documents. If such a file is emulated, the file is allowed or blocked by default. To configure a default action, follow the instructions in sk132492.
New File Types and Protocols:
Attachments from Nested MSG Files - Threat Emulation now supports emulation of files attached to MSG files that are themselves attached to other MSG files.
SCP and SFTP file transfers can be scanned using SSH Deep Packet Inspection.
SMBv3 Multi-Channel Connections – Multi-channel file transfer is on by default on all Windows operating systems. The Check Point Gateway is now the only one in the market that inspects large file transfers through SMBv3 (3.0, 3.0.2, 3.1.1) over multi-channel connections.
Enhanced Logging for Emulated Archive Files:
The archive file log includes the names of all the files inside.
A new log is generated for every file extracted from the archive, with its emulation results. This log contains the name of the archive file, so the logs for the archive file and for the files it contains correlate easily.
Importing SHA-256 IOCs - Anti-Virus now supports SHA-256 hashes as Indicators of Compromise (IOCs). Administrators can import SHA-256 IOCs manually or connect the gateway to a live feed of SHA-256 IOCs. For more information, refer to sk132193.
Replacing the Threat Emulation API Certificate – Administrators can now upload their own certificate to use for Threat Emulation API calls to their Threat Emulation appliance. For more information, refer to sk160693.
Enhanced Support for POP3 and IMAP protocols - Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail over the POP3 protocol and improve inspection of e-mail over the IMAP protocol.
Enhanced Protection against BaseStriker - MTA Gateways now protect against malicious emails with URLs that use the BaseStriker technique.
Bounce Messages Behavior Change - Modifies the configuration of the MTA so that it tries to send a bounce message only once, whether or not the message reaches its destination.
Enhanced Threat Emulation inspection for files behind shortened links - The body of an email sometimes includes customized Bitly links that point to files. With this release, Threat Emulation scans the files behind these links to detect zero-day attacks. This capability requires Threat Emulation and Anti-Virus to be enabled, and MTA must be configured for the Security Gateway.
Dynamic, Domain and Updatable Objects can be used in Threat Prevention and HTTPS Inspection Policies.
Domain objects enhancement - DNS passive learning. For more information, see sk161612.
HTTPS Inspection supports the FutureX Hardware Security Module (HSM) by storing outbound HTTPS Inspection cryptographic keys and certificates on the HSM server.
Check Point's Security Gateway now supports HTTP/2 and benefits from better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol.
Implementation of TLS 1.3 for SSL inspection.
Note - TLS 1.3 is off by default and is only applicable when USFW is used.
Support an unlimited number of languages in UserCheck objects.
Improved scalability and resilience.
Extended troubleshooting capabilities.
Improved performance, diagnostics and monitoring tools.
Voice over IP (VoIP)
Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.
Remote Access VPN
Machine Certificate Authentication - Use a machine certificate to distinguish between corporate and non-corporate assets, adding the ability to restrict access to corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).
Significant performance improvements for Remote Access VPN clients in Visitor Mode.
Support for strongSwan IPsec clients on different Linux distributions.
Concurrent Security Policy installation - One or more administrators can run multiple installation tasks of different policies on multiple gateways at the same time.
NAT Rule Base
Support for Domain objects, Updatable objects, Security Zones, Access Roles and Data Center objects.
A hit count for NAT rules.
Identity Awareness nested groups - Discovers all the groups a user belongs to from the branch specified in the LDAP account unit in one query.
Enhancements to Terminal Servers Agent for better scaling and compatibility.
Security ID (SID) support for Identity Awareness - Move users and groups to different LDAP Organizational Units without the need to modify the Access Role Policy. Note: Security ID (SID) feature is off by default. Refer to R81 Identity Awareness Administration Guide for more information.
Ability to configure multiple ciphers for external Gateways in a single VPN community. Use granular encryption methods between two specific VPN peers.
Support for SHA-512 encryption method.
A fresh and modern user interface with improved user experience:
Redesigned scan results.
Discontinued the SNX connection pop-up.
Greater accessibility for non-English speakers.
Launch all applications in separate tabs without losing the main page window.
One click sign-out.
Simplified customization to easily utilize brand identities.
Full support for mainstream browsers that run on all major platforms.
Clientless RDP and SSH access through Mobile Access Blade's browser portal using Apache's Guacamole™ software suite.
Support for custom AD attributes to allow mapping of end-users to their office desktops for personalized portal link display and Access Control.
SMB v2/3 mount support in Mobile Access blade.
Mobile Access Portal Agent
Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.
Enhanced Multi-Queue distribution of IPsec VPN traffic.
Enhancements for additional Dynamic Routing features:
OSPFv3 AH authentication for OSPFv3 protocol security.
IPv6 route aggregation - Reduces the number of prefixes advertised to neighbor routers to improve performance and scaling.
IPv4/IPv6 NAT-pool routes - Configure and redistribute NAT-pool routes to routing protocols.
Routing Information Protocol (RIP) route sync.
PIM restart capability.
Important: For a list of all Maestro-supported appliances, refer to sk162373.